The Honeynet Project

Founded in 1999, The Honeynet Project is an international, non-profit (501c3) research organization dedicated to improving the security of the Internet at no cost to the public.

For the past ten years, everything we have done and continue to do has been based on the principles of open source and volunteer effort. Our bylaws specifically state that any software or papers developed and published by the organization must be licensed as open source and made freely available to the community.

Our goal is to help coordinate the development, deployment, advancement and research findings of honeypot-related technologies. With over thirty chapters, one hundred members and twenty open source research projects around the world, we are a highly diverse and international organization.

Simply put, our goal is to make a difference. We accomplish this goal in the following three ways:

Awareness: We raise awareness of the threats and vulnerabilities that exist in the Internet today. Many individuals and organizations do not realize they are a target, nor understand who is attacking them, how, or why. We provide this information so people can better understand they are a target, and understand the basic measures they can take to mitigate these threats. This information is provided through our Know Your Enemy series of papers.

Information: For those who are already aware and concerned, we provide details to better secure and defend your resources. Historically, information about attackers has been limited to the tools they use. We provide critical additional information, such as their motives in attacking, how they communicate, when they attack systems and their actions after compromising a system. We provide this service through our Know Your Enemy whitepapers and our Scan of the Month challenges.

Tools: For organizations interested in continuing their own research about cyber threats, we provide the tools and techniques we have developed. We provide these through our Tools Site.

This year in Google Summer of Code we have a wide range of project ideas, and we are also interested in your ideas that advance the community's knowledge into new areas. Our projects and skill sets cover a wide range of programming languages (C, C++, Python, PHP, Perl, Java, JavaScript, Processing, etc.), database/SQL, IP networking, kernel and device driver development, UI and web interface development, databases, IDS, data visualization, etc. Project idea difficulty can range from fairly challenging, low-level rootkit / kernel / hypervisor modification type projects that are likely to appeal to pretty confident programmers, through to less code-intensive but equally interesting data analysis and presentation projects building effective user interfaces.

If you want to find out more, take a look at our project ideas web page, subscribe to our blog and public GSoC questions mailing list, and come and say hello on the #gsoc2012-honeynet IRC channel on irc.freenode.net (you can also connect via webchat if you are behind a firewall or don't have a command line client). There should be a mix of organisational admins, project mentors, past successful GSoC students, general Honeynet Project members and prospective students, so feel free to ask questions and we will always try to get back to you. If you are new to IRC, try reading an online primer, but don't be worried: we'll be happy to help you get up to speed.

Projects

AfterGlow Cloud
I plan to implement the current command-line version of the AfterGlow script as a service on the web. The web service would enable users to run and generate a visual view of a graph based on the CSV files and configurations given by the end user.

Automated Attack Community Graph Construction
A large amount of honeypot logs results in difficulties in data analysis and interpretation. In order to alleviate experts' workload and the complexity of data analytics, this GSoC idea is to automatically build an attack community graph for eliciting attack approaches and intention description.
The GSoC idea will be divided into three stages. The first constructs an attack graph by extracting relationships among criminals, victims and malicious servers from honeypot logs. With a centrality calculation mechanism I can apply centrality to groups in addition to individual attack approach actors. The second is to evaluate the relative centrality of different attack approach actors for integrating into the attack community graph and presenting its behavior intentions. The third is to develop an app to present the attack community graph and integrate it into the Splunk platform, where the Honeynet Project stores logs and shows the daily analysis results.

Automated Attack Community Graph Construction
The goal of this project is to implement a Splunk application that can be deployed on a central server to automatically generate community attack graphs from a set of honeypot sources distributed across networks. An attack graph is a collection of scenarios showing how a malicious agent can compromise the integrity of a target system. When built from a wide range of sensors, it can provide a comprehensive view of attackers' behavior at a large scale.

Data mining module, finding frequent network-itemsets
This project aims to apply data mining techniques for finding interesting information in the dionaea-logged connections. It can be helpful in discovering network distributed attacks, penetrations, port scans (even those carried out very, very slowly) and unusually many connections from or to single resources (addresses, ports and so on). Data mining techniques help filter interesting information from big loads of data; mixing network security and DM may bring new tools for threat analysis.

Further extend Capture-HPC with possibility of detecting malicious behavior on Linux Machines
Capture-HPC is a high-interaction client honeypot developed to detect client-side attacks. It consists of two parts: server and client. The server part manages multiple client instances running on virtualized Windows systems.
Recently a basic Capture-HPC client for Linux machines was developed by Mr Maciej Szawłowski as a part of his BSc thesis at Warsaw University of Technology. The main goal of the project is to further extend the functionality of this client software and to better integrate it with the Linux operating system architecture.
As Linux operating systems gain popularity, it is highly probable that soon a new line of threats targeting Linux users will arise. Extending Capture-HPC with the functionality proposed below will greatly contribute to the knowledge of attacks against Linux client software, especially web browsers.

Glastopf improvements
The project aims at implementing several ideas that will enhance the functionality of Glastopf (new version to be called Glaspot v3) as a web application honeypot.
Glaspot is going to be more autonomous as the HTTP requests get automatically classified. Also, new patterns will be extracted from the classified requests. Requests using the POST method will be handled. Forms and scripts will be added for attracting and trapping comment spammers and brute forcers. The PHP sandbox will be made more secure and fingerprint resistant. FTP attacks are also going to be analyzed.

HonEeeBox User Interface
The project aims to develop a web UI that provides browsing and statistical overview for data collected by the HonEeeBox sensor network with emphasis on data visualisation.

HoneyProxy - HTTP(S) Traffic Investigation
The project's goal is to develop a light HTTP/HTTPS proxy for web traffic investigation. We'd like to focus on features that are useful in a forensic context in order to provide a tool tailored to the needs of security researchers.

Improve our Android application sandbox (DroidBox)
DroidBox is developed by Patrik Lantz to offer dynamic analysis of Android applications. Suspicious behavior and information leakage are logged by running an Android application in an instrumented emulator. I intend to extend the functions and usability of DroidBox by porting it to Android 2.3 and providing more API traces. I will also introduce a new apk repackaging method to avoid endless upgrades of DroidBox.

Improving APKInspektor
The Android platform is now a focus of attackers and security researchers. It's very essential to provide a convenient and multi-functional tool to detect and analyze malware. I'd like to improve APKinspector by improving the UI and adding more features to assist the analysis of malware. The new version of APKinspector will be a powerful tool with multiple security functions such as permission analysis and static analysis, as well as a user-friendly tool with a convenient GUI and easy-to-use configuration. The planned new features include, but are not limited to, fine-grained CFG, permission analysis model, call graph, data flow analysis and repackaging.

IPv6 attack detector
The ultimate goal of this proposal is to develop cross-platform software that can detect specific IPv6 attacks from THC-IPv6 and can even secure the IPv6 network against some types of attack.

Network Analyzer
A web-based packet analyzer that aims to be an automated analyzer for uploaded pcap files. The aim is to be an open alternative to http://netwitness.com/products-services/investigator.
The first deliverables will include visualization of the analyzed traffic, application-level information display and plugin support for malware and anomalies.

network malware simulation
In one of my previous open source projects, SADIT, I implemented an abnormal traffic generator based on two simple models. For the GSoC project, I would like to extend the ideas of SADIT, making it more similar to real-world malware network behavior.

Project 6 - IPv6 attack detector
With the growth of the Internet, IPv6 is starting to be put into use more widely on the global Internet and is expected to fully replace IPv4 in the future. With this growth, some vulnerabilities have been identified in this protocol suite and used in some malicious tools, so this proposal mainly focuses on developing a tool that can detect and prevent that kind of attack; so far it can be a framework to detect future attacks on the IPv6 protocol.